In this step, you set up federation with your corporate identity provider and configure the IdP settings on the Workspace ONE Access tenant created for your enterprise.

You can use any SAML 2.0 compliant third-party IdP to set up enterprise federation with VMware Cloud services. Easy setup is available as part of the self-service federation workflow for the following providers: Okta, PingIdentity, Microsoft Active Directory Federation Services (ADFS), OneLogin, and Azure Active Directory.

To configure a different SAML 2.0 compliant third-party IdP that is not part of this list, select Other.

For this example, ACME enterprise is using Okta. As the Enterprise Administrator setting up federation for ACME, you configure Okta.


  1. In the Configure identity provider section of the Set up Enterprise Federation page, click Start.
    The Select your identity provider section displays.
  2. From the list of available third-party identity providers, click Okta.
  3. Click Next.
    The Set up SAML within your identity provider section expands.
  4. Click the View SAML Service Provider Metadata link and download the metadata file.
    If your identity provider supports a URL format, you can also copy the Metadata URL. You use the metadata file or the URL to configure your identity provider to establish trust with the Workspace ONE Access tenant.
  5. Copy the Single Sign-On URL and Audience URI path.
  6. Open your IdP's admin console.
    1. Paste the Single Sign-On URL and Audience URI you copied in the previous step.
    2. Upload the metadata file you downloaded in Step 4 of this task.
    3. Copy the Name ID configured on your IdP and keep for further reference.
    4. Download the IdP's metadata file.
  7. When ready with your IdP's configuration, go back to the self-service federation workflow, expand the Set up SAML within your identity provider section, and click Next.
    The Configure your identity provider section of the workflow expands.
  8. To configure your IdP on the Workspace ONE Access tenant, provide the following:
    1. In the IdP Display Name text box, enter a user-friendly name for your IdP.
      This name will be displayed to the users of VMware Cloud services at login and logout.
    2. In the Metadata text box, enter the IdP Metadata URL or select XML and paste the Identity Provider Metadata XML file.
      Validation of the metadata starts automatically. When validation finishes, a green check box icon indicates that the file was read and parsed successfully. If the validation returns an error, check if the URL you entered is correct. Ensure that there are not extra spaces or characters in the IdP metadata XML file.
    3. Select the Name ID format from the drop-down menu.
      The Name ID format is the value in the SAML response to identify the authenticated user.
    4. Select the Name ID Format and Name ID Value from the drop-down menu as applicable for your identity provider.
      The Authentication Method is automatically populated.
    5. From the SAML Context drop-down menu, select the type of user authentication on the IdP.
    6. Click Next.
    The User attributes section expands to display a list of the mandatory and non-mandatory user attributes that you can look for in the SAML response from your identity provider.
  9. (Optional) To add a custom user attribute that is not in the list, click Add User Attribute and enter a value matching exactly its name on your IdP.
  10. Click Next.
    If you indicated your setup with an identity provider that supports group attribute in SAML response, the Group attributes section of the workflow expands, where you add a group attribute and group names to be called for in the SAML request.
  11. (Optional) From the drop-down menu, select a group attribute and group names.
  12. In the Set user identification preference section, select how users of your enterprise are going to identify themselves when accessing VMware Cloud Services from the Cloud Services discovery page.
    User identification is different from how the user authenticates against your enterprise identity provider.
  13. Click Configure.


In this step, you added your identity provider to the Workspace ONE Access tenant configuration, configured the Workspace ONE Access tenant as a service provider on your IdP, selected the value to be used for identifying the user in the SAML response, and specified the authentication method to be used to authenticate the user on the identity provider.

What to do next

Validate the login to your IdP and activate federation.